Legal claims defining the scope of protection, as filed with the USPTO.
1. A method in a system for creating source profiles to detect spoofed traffic, the method comprising: obtaining, by the system, a routing path for data to traverse nodes using traffic profiles, each routing path comprising at least a target Autonomous System (AS); initializing, by the system, one or more AS sets with last hop ASes; enhancing, by the system, the AS set(s) by connecting the AS set(s) to routers; for each enhanced AS set, filtering by the system observed traffic flows, wherein the filtering observed traffic flows comprises established Transmission Control Protocol (TCP) filtering where any TCP traffic flow without SYN, RST and FIN flags set are considered when creating the source profiles and all other traffic flows are ignored; and, using, by the system, the filtered flows to associate enhanced AS set(s) with network monitoring points to create the source profiles.
2. The method according to claim 1, wherein the filtering observed traffic flows further comprises destination bogon filtering where the observed traffic flows to destinations for which flows with bogon source addresses have been observed within a predetermined amount of time are ignored when creating the source profiles.
3. The method according to claim 1, wherein the routers are border gateway protocol routers.
4. The method according to claim 1, wherein the last hop ASes are one hop away from the target AS.
5. A system for creating source profiles to detect spoofed traffic comprises: a processor; and, a memory that stores processor-executable instructions where the processor interfaces with the memory and executes the processor-executable instructions to enable following operations: obtain a routing path obtained for data to traverse nodes using traffic profiles, each routing path comprising at least a target Autonomous System (AS), initialize one or more AS sets with last hop ASes, enhance the AS set(s) by connecting the AS set(s) to routers, for each enhanced AS set, filter observed traffic flows, wherein the filtering observed traffic flows comprises established Transmission Control Protocol (TCP) filtering where any TCP traffic flow without SYN, RST and FIN flags set are considered when creating the source profiles and all other traffic flows are ignored, and, use the filtered flows to associate enhanced AS set(s) with network monitoring points to create the source profiles.
6. The system according to claim 5, wherein the filter of observed traffic flows further comprises destination bogon filtering where the observed traffic flows to destinations for which flows with bogon source addresses have been observed within a predetermined amount of time are ignored when creating the source profiles.
7. The system according to claim 5, wherein the routers are border gateway protocol routers.
8. The system according to claim 5, wherein the last hop ASes are one hop away from the target AS.
9. A system for creating source profiles to detect spoofed traffic comprises: a processor; and, a memory that stores processor-executable instructions where the processor interfaces with the memory and executes the processor-executable instructions to enable following operations: obtaining Autonomous System (AS) paths, each AS path is of form AS_1 AS_2 ... AS_{t-2} AS_{t-1} AS_t ... AS_n where AS_t denotes a target AS; identifying any AS_{t-1} preceding the target AS_t as a last hop AS for target AS_t; initializing an AS set for each last hop AS_{t-1}; adding any AS_i (i = 1 ... t-2) preceding the last hop AS_{t-1} to the AS set associated with that last hop AS_{t-1}; filtering observed traffic flows, wherein the filtering comprises established Transmission Control Protocol (TCP) filtering where any TCP traffic flow without SYN, RST and FIN flags set are considered when creating the source profiles and all other traffic flows are ignored, and, extracting a source AS number for the traffic flow that was not filtered out to identify one or more AS sets that contain the source AS number and then associate the identified one or more AS sets with networking points to create the source profiles.
10. The system according to claim 9, wherein the filtering of the observed traffic flows further comprises destination bogon filtering where the observed traffic flows to destinations for which flows with bogon source addresses have been observed within a predetermined amount of time are ignored when creating the source profiles.
11. The system according to claim 9, wherein the ASes are routers.
12. The system according to claim 9, wherein the last hop ASes are one hop away from the target AS.
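The procedure recited in claims 9 and 10, as an added illustration written for this page and not code from the patent or its authors: it builds one AS set per last hop AS from AS paths, applies the established-TCP and destination bogon filters, and maps each monitoring point to the AS sets whose members it observed. The flow record fields, the short bogon list, the 60-second window (read here as a symmetric window around each bogon-source flow), and all sample paths and flows are assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict, namedtuple

# Flow fields and this short bogon list are assumptions made for the example.
Flow = namedtuple("Flow", "ts src_ip dst_ip src_as proto flags monitor")
SYN, RST, FIN = 0x02, 0x04, 0x01  # TCP flag bits
BOGONS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def build_as_sets(paths, target):
    """Last hop AS -> set holding it and every AS preceding it on a path."""
    sets = defaultdict(set)
    for path in paths:
        t = path.index(target) if target in path else 0
        if t > 0:  # t == 0: target absent or first on the path, so no last hop
            sets[path[t - 1]].update(path[:t])  # AS_1 .. AS_{t-1}
    return dict(sets)

def filter_flows(flows, window):
    """Keep established TCP flows to destinations with no recent bogon sources."""
    bogon_seen = defaultdict(list)  # destination -> times of bogon-source flows
    for f in flows:
        if any(ipaddress.ip_address(f.src_ip) in net for net in BOGONS):
            bogon_seen[f.dst_ip].append(f.ts)
    kept = []
    for f in flows:
        established = f.proto == "tcp" and not f.flags & (SYN | RST | FIN)
        tainted = any(abs(f.ts - ts) <= window for ts in bogon_seen.get(f.dst_ip, []))
        if established and not tainted:
            kept.append(f)
    return kept

def build_profiles(flows, as_sets):
    """Monitoring point -> last hop ASes whose AS set contains a flow's source AS."""
    profiles = defaultdict(set)
    for f in flows:
        profiles[f.monitor].update(h for h, members in as_sets.items() if f.src_as in members)
    return dict(profiles)

# Constructed sample input (documentation AS numbers and address ranges).
PATHS = [[64496, 64497, 64499, 64500], [64498, 64499, 64500], [64501, 64502, 64500, 64510]]
FLOWS = [
    Flow(0, "192.0.2.10", "203.0.113.5", 64496, "tcp", 0x10, "mp-east"),    # ACK: kept
    Flow(5, "198.51.100.7", "203.0.113.5", 64501, "tcp", 0x02, "mp-east"),  # SYN: ignored
    Flow(10, "198.51.100.8", "203.0.113.6", 64501, "tcp", 0x18, "mp-west"), # PSH|ACK: kept
    Flow(20, "10.1.2.3", "203.0.113.9", 0, "tcp", 0x10, "mp-west"),         # bogon source
    Flow(25, "192.0.2.11", "203.0.113.9", 64497, "tcp", 0x10, "mp-west"),   # tainted destination
    Flow(30, "192.0.2.12", "203.0.113.5", 64498, "udp", 0, "mp-west"),      # not TCP: ignored
]
PROFILES = build_profiles(filter_flows(FLOWS, 60), build_as_sets(PATHS, 64500))
```

With the sample data, AS 64497 reaches the target only through last hop 64499, yet its flow is seen at mp-west; the destination bogon filter keeps that flow out of the profile because the same destination received a bogon-source flow five seconds earlier.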
January 20, 2015